
Recommended Best mod_security Rules for Secure Web Servers

ModSecurity (mod_security) is a popular Apache module that serves as a web application firewall (WAF), screening requests coming in to the web server against a set of configurable rules before they reach the application.

The "best rules" for mod_security are often requested, but there is no single ruleset that is best for everyone. Every website and application has slightly different traffic, so the rules need some fine-tuning to make sure they are strict enough to be protective but not so strict that they block normal users.

We recommend the rules below, which reject requests that violate the HTTP protocol in ways legitimate browsers do not: GET or HEAD requests that carry a body, POST requests without a Content-Length header, and requests using a Transfer-Encoding. Malformed requests like these are a common evasion technique, and rejecting them up front cuts down the traffic the rest of your rules have to inspect. The three rules are the protocol-violation rules from the OWASP ModSecurity Core Rule Set (CRS) 2.x, reproduced here with their original ids. Copy the entire text (or whichever rules you want to activate) into your modsec2.user.conf file, or whichever file your mod_security installation uses for user-configurable rules, then restart Apache and check the error log for configuration errors.

# Do not accept GET or HEAD requests with bodies.

SecRule REQUEST_METHOD "^(?:GET|HEAD)$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'GET or HEAD requests with bodies',severity:'2',id:'960011',tag:'PROTOCOL_VIOLATION/EVASION'"
    SecRule REQUEST_HEADERS:Content-Length "!^0?$" t:none

# Require Content-Length to be provided with every POST request.

SecRule REQUEST_METHOD "^POST$" "chain,phase:2,t:none,deny,log,auditlog,status:400,msg:'POST request must have a Content-Length header',id:'960012',tag:'PROTOCOL_VIOLATION/EVASION',severity:'4'"
    SecRule &REQUEST_HEADERS:Content-Length "@eq 0" t:none

# Don't accept transfer encodings we know we can't handle.

SecRule REQUEST_HEADERS:Transfer-Encoding "!^$" "phase:2,t:none,deny,log,auditlog,status:501,msg:'ModSecurity does not support transfer encodings',id:'960013',tag:'PROTOCOL_VIOLATION/EVASION',severity:'3'"

A few things to know before enabling these. The "chain" action ties a rule to the SecRule on the following line; the request is only denied when both parts match, so the indented line is the second half of the rule above it, not a separate rule. All three rules run in phase 2 (request body), so the full headers are available. The "&" prefix in rule 960012 counts how many Content-Length headers are present rather than reading the value, so "@eq 0" means "the header is missing", while rule 960011 reads the value and fires when it is anything other than empty or 0.

The Transfer-Encoding rule (960013) is the one most likely to block legitimate traffic. A POST sent with "Transfer-Encoding: chunked" carries no Content-Length by design (HTTP forbids sending both headers together), so chunked uploads from API clients, WebDAV or SOAP tools, and some mobile apps will already be rejected with a 400 by rule 960012, and anything else using chunked encoding gets a 501 from 960013. If your application serves such clients, leave these two rules out or exempt the affected paths, and watch the audit log for a few days after enabling them.

Finally, the ids 960011 to 960013 belong to the OWASP Core Rule Set. ModSecurity 2.7 and later require every rule to have a unique id and refuse to load a configuration that contains duplicates, so if the CRS is already installed on your server do not add these copies a second time, or change the ids to a range of your own.
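To make the matching semantics concrete, here is a small Python model of the three rules above. It is an added example written for this page, not ModSecurity's own code: it re-implements only the pieces these rules use (the @rx operator with "!" negation, the "&" variable-count operator with @eq, chain, and deny-on-first-match) and runs them over a handful of constructed requests. The sample requests and the host name in them are made up; only the method and headers are modelled because the rules never inspect the body.

```python
import re

# Constructed sample requests (method, headers) for this example; not real traffic.
# Bodies are omitted because all three rules look only at REQUEST_METHOD and
# REQUEST_HEADERS.
SAMPLE_REQUESTS = {
    "plain GET":       ("GET",  {"Host": "www.example.com"}),
    "GET with body":   ("GET",  {"Host": "www.example.com", "Content-Length": "27"}),
    "GET zero length": ("GET",  {"Host": "www.example.com", "Content-Length": "0"}),
    "normal POST":     ("POST", {"Host": "www.example.com", "Content-Length": "27"}),
    "POST no length":  ("POST", {"Host": "www.example.com"}),
    "chunked POST":    ("POST", {"Host": "www.example.com", "Transfer-Encoding": "chunked"}),
    "chunked PUT":     ("PUT",  {"Host": "www.example.com", "Transfer-Encoding": "chunked"}),
}


def header_values(headers, name):
    """REQUEST_HEADERS:Name -> the matching values; header names are case-insensitive."""
    return [v for k, v in headers.items() if k.lower() == name.lower()]


def op_rx(values, pattern, negated=False):
    """@rx with optional '!' negation, applied to each variable in turn.
    With no variables there is nothing to test, so the rule cannot match."""
    if negated:
        return any(re.search(pattern, v) is None for v in values)
    return any(re.search(pattern, v) is not None for v in values)


def op_count_eq(values, n):
    """&VAR "@eq n": compares the number of variables, not their contents."""
    return len(values) == n


def rule_960011(method, headers):
    """GET/HEAD with a Content-Length other than empty or 0 (chain: both parts must match)."""
    return (op_rx([method], r"^(?:GET|HEAD)$")
            and op_rx(header_values(headers, "Content-Length"), r"^0?$", negated=True))


def rule_960012(method, headers):
    """POST without any Content-Length header (chain: method, then &count @eq 0)."""
    return (op_rx([method], r"^POST$")
            and op_count_eq(header_values(headers, "Content-Length"), 0))


def rule_960013(method, headers):
    """Any request carrying a non-empty Transfer-Encoding header."""
    return op_rx(header_values(headers, "Transfer-Encoding"), r"^$", negated=True)


# (rule id, (matcher, HTTP status from the deny action)), in configuration order.
RULES = [
    (960011, (rule_960011, 400)),
    (960012, (rule_960012, 400)),
    (960013, (rule_960013, 501)),
]


def evaluate(method, headers):
    """Return (rule id, status) of the first rule that fires, or None if the request passes.
    'deny' stops processing at the first match, so later rules are not consulted."""
    for rule_id, (matcher, status) in RULES:
        if matcher(method, headers):
            return rule_id, status
    return None


if __name__ == "__main__":
    for label, (method, headers) in SAMPLE_REQUESTS.items():
        verdict = evaluate(method, headers)
        if verdict is None:
            print(f"{label:16s} -> allowed")
        else:
            print(f"{label:16s} -> denied by rule {verdict[0]} (HTTP {verdict[1]})")
```

Running it shows the interaction worth remembering: the "chunked POST" sample is denied with a 400 by rule 960012 before rule 960013 is ever reached, because a chunked request has no Content-Length, while the "chunked PUT" falls through to 960013 and gets a 501. A GET with "Content-Length: 0" passes, since the regex in 960011 treats an empty or zero value as "no body".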